Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

Remember that crooks who have hacked into your Wi-Fi access point – at your local coffee shop, for instance – could sneakily redirect any of your HTTPS logins to phishing sites instead.

Usually, however, the crooks can’t present a digital certificate to vouch for the fake site they have drawn you into.

Sometimes, the crooks avoid the need for digital certificates altogether by dropping back to a plain old HTTP site that doesn’t use encryption at all.

You should be able to spot this sort of ruse due to the absence of any security indicators in the address bar of your browser.

Or the crooks could present a TLS certificate that claims to be from your bank, but which isn’t vouched for by any recognised certificate authority.

You should be able to spot this sort of ruse due to an “untrusted connection” warning from your browser.

But if there’s a cryptographic vulnerability that can be exploited to make a bogus digital certificate seem valid, then the crooks may be able to redirect you to an imposter site without raising any alarms.

And that could lead to the digital theft of your personal information, including usernames and passwords.

Get the latest update

If you have a software product (e.g. Firefox) that uses NSS, make sure you’ve got the latest update; for Mozilla software, that means (at 2014-09-24T23:45Z):

Firefox 32.0.3

Firefox ESR 24.8.1

Firefox ESR 31.1.1

Thunderbird 31.1.2

Thunderbird 24.8.1

SeaMonkey 2.29.1

For what it’s worth, I’m using Firefox 32 on OS X, and the update was so small I didn’t get time to read its size during the download.

Applying the update was quick: less than a second to download the patch, and a few more seconds to restart the browser process.